Voter Verification of Ballot Needed to Make Computerized Voting Safe
Unless paper copies of ballot choices are made to allow for recounts, computerized voting systems are far too vulnerable to software bugs or tampering to be relied on, according to Dr. Barbara Simons, a computer science researcher now retired from IBM Research. Simons, a past president of the Association for Computing Machinery and co-chair of its public policy committee, spoke on "Electronic Voting Machines: Will Your Vote Count 0, 1 or Many Times?" Sept. 15 at the invitation of the Virginia Society of Law and Technology. Professor Dan Ortiz joined her, surveying the perennial issues in election fraud to introduce the latest permutation.
To direct her listeners to where the problem lies, Simons quoted Josef Stalin, who, with an insight so natural to a dictator, said, "Those who cast votes decide nothing. Those who count votes decide everything."
With the Florida vote counting debacle of 2000 spurring them on, Congress passed the Help America Vote Act of 2002, turning to computing for voting salvation. The Act authorized $3.8 billion to pay for computerized voting equipment, such as Direct Recording Electronic voting systems (DREs) or optical scanning systems. The act requires that all punch card and lever machines be replaced by 2004, or, if a waiver is granted, by 2006 at the latest. The law authorized the National Institute of Standards and Technology to set standards for the machines, but so far "no reasonable ones exist," Simons said, because Congress did not allocate money to pay for them.
The fact is that "far too chummy relationships exist between election officials and vendors," Simons said. Policymakers often don't understand the technical implications of a policy, such as the risks of creating centralized databases of registered voters in every state and thus making a single security breech potentially disastrous, said Simons.
DREs commonly have touch screens, though some have knobs or switches. Experts warn that programmers are capable of writing computing code that could falsify votes any number of ways, all while the machine's screen duplicitously shows the voter the selections he or she actually entered. Such "Trojan Horse" techniques for falsely recording or tallying votes could be very difficult to find or prevent, especially with the inadequate level of testing done today. Or, as another example, software could be corrupted by someone programming it to respond to a pattern of selections, entered by accomplice voters, that causes the software to execute a cheating plan of phony votes.
Simons said computer security experts who've looked at the problem agree that a permanent record of every ballot cast is essential so that recounts are possible. In fact, she said, the proper starting point for designing an electronic voting system would be to figure out which system makes recounting the easiest and proceed from there.
Simons credited California Secretary of State Kevin Shelley with taking the right position. Shelley insists that by 2005 all new touch screen machines in his state produce a voter-verified paper trail and that machines are "parallel tested" (a check of randomly selected machines taken out of service on election day to perform a simulated election in which a final tally is known beforehand). California law requires manual recounts of 1 percent of the ballots in randomly selected precincts.
Paper trails would not produce "receipts"-a term Simons acknowledged but objected to-because those could enable vote-selling if they could be taken away from the polling place. Rather, voters would be shown a record of their choices, perhaps behind a glass panel, and they would confirm them, or cancel and reselect. Once verified, their votes would be recorded in the machine where they could be consulted in case of a recount. "The idea is that there needs to be an unchangeable record that can be verified by the voter," said Simons.
DREs would have to be refitted to make this possible, but optical scan voting systems automatically create voter verified paper ballots, since the voters mark optically scannable paper ballots that are then counted by optical scan readers/counters. "Retrofitting DREs to print paper ballots is not a great solution," said Simons. "It would be better, in my opinion, if we could eliminate the DREs and replace them with better designed systems. Unfortunately, so much money has been spent on some of these systems that it will be difficult to get them replaced."
She described the software in current machines as "very buggy." It has been developed and tested in secret and the test results are kept secret, its vendors saying they are protecting proprietary information. "The only reason it's secret is to hide the bugs," Simons said. "I'd like to see the software made entirely public."
Vendors also invoke a "security through obscurity" defense, she said, claiming that software is more difficult to penetrate if it's kept secret. "The best way to plan computer security is to assume an adversary knows everything and yet you are still secure," Simons said. The typical test of security is to attack the software, devise fixes when ways to compromise it are found, and repeat the hacking, always assuming that undiscovered openings still remain. "Even if the machines were well tested, "it still could be difficult to tell if malicious software is influencing the outcome," she said.
"Vendors don't talk about the storage and delivery issues," times when a machine could be vulnerable to tampering, she added.
Meanwhile, DREs have been purchased to handle 30 percent of American elections. Georgia conducted its 2002 elections with machines purchased from Diebold, the nation's largest maker of ATMs. Simons called the company "a poster child" for DRE security issues. According to pre-election and exit polling results, incumbent democratic Sen. Max Cleland was expected to win in 2002, but lost in an upset. Some Georgians suspect the voting machines were tampered with, Simons said, "but we don't know." The Diebold machines do not create any paper trail to check.
"It's not a Democrat vs. Republican issue," she said. "Some Republicans feel they've been cheated too."
The problem with Diebold's system, she said, is that it was "built on insecurities in the Microsoft Windows system that can't be fixed." Some of those securities were undoubtedly unknown when Diebold created their software, she explained. "But the Diebold software is so un-robust that attempts by the State of Maryland to install recently issued Microsoft security patches made the voting software crash."
Some election officials are worried that if the problem with electronic voting gets exposed that people will be discouraged from voting. Simon says the public is worse off not being told.
Even if electronic voting systems need further refinement to be fully trustworthy, Simons strongly urged everyone to exercise their right to vote. "Everyone should vote," Simons said, "but I use an absentee ballot."